Achieving Secure Web Security and Web Security Solutions

As emphasized in the “Understanding Web Security” page, the key to web security is web application security, together with web security solutions. Web application security also requires thorough understanding on the part of the web application’s administrator; security is assured once the solutions are properly deployed.

Let’s take a closer look at web application security and introduce some of the most important web security solutions needed to build it, along with the role and function of each.

Web application security and web security solutions

Application security has to cover everything from the initial development phase to post-deployment maintenance. In practice, many people find it difficult to build web application security because they do not understand what each solution does or where it should be introduced. It becomes easier to understand through an analogy: building web application security is like building a house, with each solution playing its own part.

[Figure: Web application security solution diagram]

Secure Coding

The development stage can be thought of as the process of building a house. When building a house, you must build a strong, secure brick house on a solid foundation. In application terms, this is secure coding: writing secure source code and programs, and eliminating code that could be exploited as a vulnerability.

Secure coding is a method of writing code that considers security from the design stage, in order to minimize the vulnerabilities that can arise from the developer’s lack of knowledge or mistakes during development, or from the inherent weaknesses of each programming language. In application development, developing securely and systematically matters more than development speed. Introducing a web security solution on top of an insecure development environment is no more than a stopgap measure.

Web Scanner

You need to periodically run a web scanner that checks your application from the outside, just as you check the bricks for cracks or the house for tilting after it is finished. Web scanners, also called web vulnerability checking tools, are programs that analyze potential vulnerabilities or design vulnerabilities by communicating with the web application from the outside.

There are many types of web scanners on the market, including various scanners available for non-commercial use. Their performance differs, but the key point is that you need to check the status of your application periodically and consistently; only steady checking shows an effect.

Web server malware detection – Web-Based Malware Detection

After that, it is necessary to check whether the house leaks when it rains or has holes where worms can hide. This can be checked with a web server malware detection solution.

Like web scanners, web server malware detection solutions also need to be run and checked periodically.

Web Firewall – Web Application Firewall

Once the house is built, we put up hedges or walls to protect it from unexpected outside access and, ultimately, to compensate for internal hazards we have not yet found. In application security, the Web Application Firewall acts as this fence.

Web firewalls are used to detect and respond to external intrusions and web attacks. A web firewall not only keeps web security vulnerabilities from being exposed to the outside world, but also blocks other attacks from outside before they reach the application. It also prevents web server malware from being uploaded to the web server. This is possible because a web firewall is developed specifically for web applications, unlike a normal firewall. In addition, unlike other solutions, it does not have to be built into or applied on the server, and can conveniently be installed outside it.

The newest web firewalls can block a wide variety of web attacks in real time and apply rules through a learning mode.

Data Security

Finally, what matters is how to keep the most important assets in the house, such as cash and bankbooks. For an application, these assets are sensitive data such as personal information, card information, and account information. In a typical web application environment, a database (DB) is built to store and manage the data.

To manage data safely, it is necessary to introduce a web security solution for data security. In general, organizations introduce data encryption solutions, which encrypt the data so that hackers cannot read what they ultimately want. However, rather than stopping at encryption, you should pay more attention to access control and audit logs, which determine who can access the data and record when it was accessed. In data encryption, managing the key that opens the encrypted data is very important, so care must be taken with key management.
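The point about access control and audit logs can be shown in a small data-access layer. This is an added example, not code from the original page; the role names, table layout and `POLICY` mapping are assumptions, the customer row is constructed sample data, and the card number is treated as ciphertext produced by a separate encryption solution.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical policy: which columns each role may read (assumption).
POLICY = {
    "support": {"name"},
    "billing": {"name", "card_number"},
}


def open_store():
    """Create an in-memory database with one constructed customer row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers "
               "(id INTEGER PRIMARY KEY, name TEXT, card_number TEXT)")
    db.execute("CREATE TABLE audit_log (ts TEXT, actor TEXT, role TEXT, "
               "customer_id INTEGER, field TEXT, allowed INTEGER)")
    # Constructed sample data. card_number stands in for ciphertext produced
    # by a separate encryption solution whose key is managed elsewhere.
    db.execute("INSERT INTO customers VALUES (?, ?, ?)",
               (1, "Sample User", "ENC:constructed-ciphertext"))
    db.commit()
    return db


def read_field(db, actor, role, customer_id, field):
    """Return one column of one customer, logging the attempt first."""
    allowed = field in POLICY.get(role, set())
    # Record who asked for what and when, whether or not it is permitted.
    db.execute("INSERT INTO audit_log VALUES (?, ?, ?, ?, ?, ?)",
               (datetime.now(timezone.utc).isoformat(), actor, role,
                customer_id, field, int(allowed)))
    db.commit()
    if not allowed:
        raise PermissionError(f"{role} may not read {field}")
    # field passed the allowlist above, so it is a known column name;
    # the row id is still bound as a parameter.
    row = db.execute(f"SELECT {field} FROM customers WHERE id = ?",
                     (customer_id,)).fetchone()
    return row[0] if row else None


def access_report(db, field):
    """List (actor, allowed) for every attempt to read a field, oldest first."""
    return db.execute("SELECT actor, allowed FROM audit_log "
                      "WHERE field = ? ORDER BY rowid", (field,)).fetchall()
```

Denied attempts are logged as well as granted ones, so the report answers both who read the data and who tried to.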

Completion of web security

The web security solutions mentioned above can be arranged by layer, as shown in the following picture.

[Figure: Web security 3-tier and layer-by-layer security solutions]

It is imperative to understand the characteristics of each security layer and to achieve secure web security by introducing each web security solution in the right place. In addition, although application security is the most important part of web security, it must not be overlooked that it has to rest on the security of the web and the system.

“An organization’s overall security is just as hard as its weakest link,” as the saying goes.

The weakest part of many security factors determines the security level of
the entire company. In other words, paying attention to all layers of security
in a balanced way, and introducing appropriate solutions for each layer of
security problems is the best way to increase security.

The market for web security solutions is growing every year. According to a report released by Frost & Sullivan in 2012, the Asia Pacific content security management market is forecast to reach $1.757 billion (approx. KRW 1.7 trillion) by 2017, with annual market growth of around 17.9%. Compared to the typical IT industry growth rate of 7 to 9%, this is a tremendous growth rate.

As the market grows and numerous web security solutions appear, now and in the future, secure web security can be achieved by judging the function of each solution wisely and deploying it in the correct place.

Popularization and Severity of Web Threats

The web, which we commonly know as the Internet, could in the past be used only where there was a PC, but since the development of mobile devices, including smartphones, it has become available to everyone anywhere. In addition to Internet browsers such as Internet Explorer, Chrome, and Safari, mobile apps used on smartphones, such as KakaoTalk, other messengers, and mobile games, all run on the web. Mobile apps all communicate over the same web as the existing Internet, even if they look different. As mobile devices using the web have become popular, various services such as financial transactions and complaints handling have become possible. The web now plays a very important role in our daily lives.

However, as the web became popular, cyber attacks targeting the information or assets of corporations have also increased. Because the web is like a pathway leading to the important assets of the enterprise, the moment the web is attacked it can lead to serious secondary damage such as leakage of personal information, financial damage, and destruction of internal systems. Nonetheless, most companies are concerned about the security of the corporate office, which is a physical space, while neglecting the security of the web, which is cyberspace.

Web Threat Example

Looking first at past incidents, there is the Auction hacking case of February 2008, in which more than 10 million pieces of personal information were leaked, and the Nate (SK Comms) hacking case, which also leaked personal information. In the Auction case, the web server was hacked through the web and personal information was leaked after the DB server was accessed. In the Nate case, personal information was found to have been leaked through attempts to access the DB server from an infected internal PC.

Next, there is the 3.20 hacking case, the hacking of financial and media companies that has recently become a big issue.

In this case, it is presumed that both web server hacking and internal PC hacking were used for the initial compromise. Web server hacking that exploited a website bulletin board vulnerability secured the first and second C&C (command and control) servers, and it has been confirmed that internal PCs of the target companies were infected with malicious code. Next, internal information was collected from the infected internal PCs through the C&C servers, and finally the update management server was infected and used to distribute the malicious code, destroying the internal systems of the enterprises.

As the examples above show, the cyber attacks that have recently become an issue were all carried out via the web. The point here is that all of these cases could have been prevented by introducing appropriate web security solutions.

In other words, building a secure web security system, with adequate understanding of web security and proper deployment of web security tools, before web threats cause serious damage is an important responsibility in the era of web popularization.

In IT terms, the devices used to access the web are the [Client], and the system that stores web content, such as a website or a mobile app screen, and displays that content when a client accesses it is the [Server]. (In IT systems not all servers are web servers, but since we are discussing web security here, let’s take a web server as the example.)

The network that connects the client and the web server is the [Web].

From a security standpoint, client security is generally related to the
security of individual systems, and server security is related to the security
of enterprise systems. We will look at server security, which is at the heart
of web security in the enterprise.

To understand server security, let’s first look at the server system.

Because the server system in the enterprise basically follows the structure of the IT system, knowing the structure of the IT system lets you understand the structure of the server system.

As you can see in the picture above, the IT system consists of three layers: network, system, and application. These three tiers make up the IT system by interacting with each other.

The network layer handles the communication involved in sending and receiving data. The system layer, in the role played by an operating system (OS) such as Windows or Linux, serves as the platform on which various applications can run. The application layer is responsible for providing protocols (the rules and conventions for how computers communicate when sending and receiving information) and the application services that run on the system layer.

In the end, secure server security means that all three layers of security
in this IT system – network security, system security and application security
– are securely deployed.

Let’s take a look at how security for each layer of the IT system related
to Web security is actually built.

For network security, it is necessary to control access to unsecured IPs or ports, and also to check whether the traffic (the amount of data flowing over the transmission line in a given time) arriving from allowed IPs or ports is itself permitted. For network security, most enterprises build firewalls and intrusion detection / prevention systems (IDS / IPS).

System security is mostly related to the OS. The manufacturers responsible for developing and delivering operating systems such as Windows, Linux, and Unix prepare against known web threats through periodic security updates and patches. Corporate security officers should keep their systems secure at all times, not only through security updates and patches but also through periodic system malware reviews. To ensure system security, companies often deploy antivirus solutions.

As such, most companies understand network and system security and are working to build security accordingly. But this is not the case for application security. Because the application layer is more sophisticated than the network or system layer, and because applications are so varied, most security administrators face many challenges in applying security to it.

Ironically, application security is of the utmost importance to web
security.

Most of the web sites and mobile apps that we commonly use are composed of
applications, and web attacks that target them are mostly application attacks
that use the vulnerabilities of applications. It is no exaggeration to say that
more than 90% of all current web attacks are attacks on Web applications.
